#1
Uninitialized disk
Hi All,

I came across a Windows computer yesterday that had a 4 GB disk that Disk Manager wanted to initialize. That would make it a raw disk right out of the wrapper (or someone had at it with `dd`).

Am I correct that the various backup programs (Macrium Reflect, etc.) out there that write to hidden directories still require an initialized, partitioned, and formatted drive?

If so, then it was just an extra drive no one ever initialized, partitioned, and formatted for use. Otherwise I have to hunt down who is using the drive.

(They use a Cloud based backup service and everything is working on the computer. Well, after I had at it.)

Many thanks,
-T

Hopefully I did not typo any limey swear words this time! :'(

#2
T wrote:
> Hi All,
>
> I came across a Windows computer yesterday that had a 4 GB disk that Disk Manager wanted to initialize. That would make it a raw disk right out of the wrapper (or someone had at it with `dd`).
>
> Am I correct that the various backup programs (Macrium Reflect, etc.) out there that write to hidden directories still require an initialized, partitioned, and formatted drive?
>
> If so, then it was just an extra drive no one ever initialized, partitioned, and formatted for use. Otherwise I have to hunt down who is using the drive.
>
> (They use a Cloud based backup service and everything is working on the computer. Well, after I had at it.)
>
> Many thanks,
> -T
>
> Hopefully I did not typo any limey swear words this time! :'(

On an "uninitialized" disk, you can scan with TestDisk. It will look for a sector with "NTFS" in it. On a 4TB drive, you'd be "nuts" to be doing this for fun. Only do that, if you really suspect there is data on it, data that you need.

*******

If you're good with HxD...

https://mh-nexus.de/en/hxd/

if you run the executable as Administrator, there is a menu item somewhere on the right, that opens disks for raw I/O. In there, you can open the 4TB drive, and skim through the first megabyte or so, looking for a sector with "NTFS" as a string in it. That could be an NTFS file system header. Vista+ uses megabyte alignment, and as long as some clever person didn't leave a "gap" at the front, you might spot some evidence of previous usage.

The policy at disk drive companies has changed over the years, and today there probably isn't a file system on *internal* OEM bagged drives. If you pulled that drive from a USB enclosure, the "consumer" approach to drives means adding a file system for "comfort". So Seagate or WDC could have put something on there, rather than your client.

On a GPT disk, the first 128MB could be GPT partition table entries, and the 129th MB could contain the first "NTFS" sector.

HxD really isn't any better than TestDisk, but you'll also not be tempted to sit there for eight hours, watching the track counter tick up :-)

*******

I'm sure you'll think of some whizzy heuristic that quickly tells you what the disk was used for.

Factory initialization does not guarantee the disk is zeroed, and some other recurring hex pattern may be on there. Modern drives are likely to use a "scrambler" on the circuit board, so writing all zeros doesn't really put any kind of "flat line" signal on the disk. The signal at the head level, on a zeroed disk, is quite likely to be wavy gravy.

If you're bored, you could run Photorec or Recuva or... well, you get the idea. Those can scan for files by their metadata headers (EXIF, the word "GIF87" or whatever). So if some plaintext data was stored on there at one time, then a recovery tool may spit out 100,000 garbage files in no time.

Paul

#3
T wrote:
> I came across a Windows computer yesterday that had a 4 GB disk that Disk Manager wanted to initialize. That would make it a raw disk right out of the wrapper (or someone had at it with `dd`).
>
> Am I correct that the various backup programs (Macrium Reflect, etc.) out there that write to hidden directories still require an initialized, partitioned, and formatted drive?
>
> If so, then it was just an extra drive no one ever initialized, partitioned, and formatted for use. Otherwise I have to hunt down who is using the drive.
>
> (They use a Cloud based backup service and everything is working on the computer. Well, after I had at it.)

4 GB is very v-e-r-y VERY small. If GB was the correct sizing, I suspect what you see as a "drive" is not a disk but either a small partition on the disk or unallocated space on the disk. Many times you cannot get all space on a disk to allocate to within a partition. The sizing of the disk isn't a multiple of the sizing of clusters within a partition. For example, for my "256GB" SSD, 9 MB cannot be assigned to a partition. I don't remember how big I've seen the unallocated section that is too oddball to put into a partition but 4 GB sounds too big. That's why I suspect it is a partition that is a drive on a disk along with other drives (partitions) on the same disk.

Backup programs can back up by sector (within a partition). I haven't used any backup programs that will copy sectors of unallocated space on a disk. Backup programs usually do logical image/file backups by using a file system (within a partition). You cannot have any file system until after you format a partition. Formatting structures the partition by establishing a file table within the partition and updating the partition tables back in the MBR/GPT block.

I've not used a backup program that uses hidden folders for itself. There are snapshot programs that use rootkit-style drivers to hide their clusters from the normal OS file API commands, like Comodo's Time Machine (very flaky, corrupts file systems, abandoned) and other snapshotting programs but I don't consider those "backup programs". These tools are saving their snapshots on the same drive so they want to hide them to prevent accidental deletion or corruption of their snapshots. Some just use file system attributes to prevent accidental erasure of snapshots: their folders are "hidden".

An example is virtual disk tools where their driver redirects all file I/O into their virtual disk instead of to the physical disk, and upon boot their driver discards the virtual disk (or doesn't use it) so the OS and programs are back to writing on the real disk (well, writing to the virtual disk is writing to the physical disk but you get what I mean). Unlike virtual machines, virtual disk tools had you writing to the real disk instead of an emulated one so there was no performance hit (other than their driver doing file I/O redirects). Typically these are referred to as rollback tools; e.g., Deep Freeze, Rollback Restore Rx and its little brother Reboot Restore Rx (that latter one nailed me, too), Microsoft's SteadyState (discontinued), the one that comes in Acronis True Image (forget its name), ToolWiz Time Machine (free), and Returnil's Virtual System or System Safe Free (no longer available, no free version any more, went to payware-only QuietZone which, I think, was just web-centric virtualization but that failed and returnilvirtualsystem.com died).

This is not the same as VMMs (Virtual Machine Managers) that create .vhd or other virtual disk (VD) files within the file system within a partition that are virtual machines to load within the restricted or sandboxed environment of the guest OS running in a VM. Their VDs are not hidden in the host's file system.

I'm not sure what all you consider is a backup tool. Backup can mean different things to different users.

"Initialize" in Disk Manager means to add a unique (to all disks initialized within Windows) 4-byte hash value to the drive ID record in the MBR/GPT block. That allows identifying the disk no matter what is its order of physical detection. The disk can be moved to another port or even to a different controller and its physical enumeration will change but the OS can still identify the disk as the same one by its drive ID which allows the OS to keep the drive letter assignment in place after moving a disk. Initializing also determines the type of boot block created in sector 0 of the hard disk: MBR or GPT.

Initializing is typically performed on new disks (that have not been pre-formatted from the factory since almost all have been for quite a while). It will wipe the partition table. This is why folks think you lose your data when you initialize. The data hasn't been touched until you follow with partitioning (which doesn't write outside the partition table) and writing to the partitioned areas. That's why you can use recovery tools after partition tables have been corrupted or erased to relocate where the partitions might've been or to recover data from sectors where there are no longer partitions defined with file systems to cover that area of the disk. Initializing doesn't erase anything. It's the later formatting which causes loss of tracking the clusters and then later writing that actually obliterates the content of those clusters.

Initialization does not format a drive. Initialization does wipe the partition records in the partition table. Initialization does add a drive sig to the MBR/GPT so the OS can track the disk. The disk sig is used by Windows to track mounting of partitions on disk(s). Initialization will synchronize the drive sig written into the MBR/GPT with the one recorded in the registry.

Initialization doesn't work at the partition level. It works on the disk level. So all the mentioned actions occur on the disk level. If you have other partitions on that same disk with the 4 GB partition or unallocated space, initializing that disk erases the partition records. You did not mention if the 4 GB partition or unallocated space is the only partition or only unallocated block on that disk.

https://technet.microsoft.com/en-us/...(v=ws.11).aspx
http://www.multibooters.com/tutorial...re-in-mbr.html

Some backup programs create a "hidden" partition in which to store their backup files; e.g., Acronis Secure Zone and Paragon Backup Capsule. Both use the same technique because developers from one changed to the other employer. They hide the partition by NOT assigning a drive letter to the partition and by using a non-standard partition type value in the partition record in the partition table in the MBR/GPT. Without a drive letter (the volume is not mounted), most programs, including most malware, cannot find the backup files to encrypt, delete, or corrupt them. The non-standard partition type attempts to keep Windows and drive tools at bay. Formatting is standard, though, using FAT32. However, 4 GB sounds pretty tiny for a hidden partition to store backup files but then you didn't mention the other partition size(s).

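An added example, not part of the thread or any poster's code: a read-only Python triage of the checks the two replies above describe, decoding the 4-byte disk signature and partition table in a classic MBR sector 0 and probing megabyte-aligned offsets for an NTFS boot sector. The sample image and its signature value are constructed, and the LBA 63 probe (the usual pre-Vista partition start) goes beyond what the thread mentions.

```python
import io
import struct

SECTOR, MIB = 512, 1024 * 1024

def parse_mbr(sector0: bytes) -> dict:
    """Decode disk signature and partition entries from a classic MBR sector."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    parts = []
    for i in range(4):                       # four 16-byte entries from offset 446
        entry = sector0[446 + 16 * i:462 + 16 * i]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                    # type byte 0x00 marks an unused slot
            parts.append({"type": entry[4], "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_sig_ok": sector0[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector0, 440)[0],
        "partitions": parts,                 # non-standard type values show up here
        "protective_gpt": any(p["type"] == 0xEE for p in parts),
    }

def looks_like_ntfs_boot(sector: bytes) -> bool:
    """NTFS boot sectors carry the OEM ID 'NTFS    ' at byte 3 and end in 55 AA."""
    return len(sector) >= SECTOR and sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa"

def find_ntfs_headers(dev, limit_bytes=256 * MIB, step=MIB):
    """Probe LBA 63 and each 1 MiB boundary below limit_bytes; only reads."""
    hits = []
    for off in [63 * SECTOR] + list(range(step, limit_bytes, step)):
        dev.seek(off)
        if looks_like_ntfs_boot(dev.read(SECTOR)):
            hits.append(off)
    return hits

def build_sample_image() -> io.BytesIO:
    """Constructed sample: signature present, empty table, NTFS header at 1 MiB."""
    img = bytearray(3 * MIB)
    struct.pack_into("<I", img, 440, 0x1234ABCD)   # constructed signature value
    img[510:512] = b"\x55\xaa"
    img[MIB + 3:MIB + 11] = b"NTFS    "
    img[MIB + 510:MIB + 512] = b"\x55\xaa"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    img = build_sample_image()
    print(parse_mbr(img.read(SECTOR)))
    print([hex(off) for off in find_ntfs_headers(img, 3 * MIB)])
```

For a real drive, pass a file object opened read-only on an image of the disk instead of the constructed sample.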
#4
On 07/18/2017 09:41 AM, VanguardLH wrote:
> 4 GB is very v-e-r-y VERY small

Sorry, 4TB. I constantly keep calling TB BG. :-(

#5
On 07/18/2017 12:10 PM, T wrote:
> On 07/18/2017 09:41 AM, VanguardLH wrote:
>> 4 GB is very v-e-r-y VERY small
>
> Sorry, 4TB. I constantly keep calling TB BG. :-(

GB

#6
T wrote:
> On 07/18/2017 12:10 PM, T wrote:
>> On 07/18/2017 09:41 AM, VanguardLH wrote:
>>> 4 GB is very v-e-r-y VERY small
>>
>> Sorry, 4TB. I constantly keep calling TB BG. :-(
>
> GB

Yeah, my keyboard is failing, too. Must be my keyboard. Can't be me.

#7
On Tue, 18 Jul 2017 17:50:34 -0500, VanguardLH wrote:
> T wrote:
>> On 07/18/2017 12:10 PM, T wrote:
>>> On 07/18/2017 09:41 AM, VanguardLH wrote:
>>>> 4 GB is very v-e-r-y VERY small
>>>
>>> Sorry, 4TB. I constantly keep calling TB BG. :-(
>>
>> GB
>
> Yeah, my keyboard is failing, too. Must be my keyboard. Can't be me.

You must be younger than I am! vbg

#8
On 07/18/2017 02:10 PM, T wrote:
> On 07/18/2017 09:41 AM, VanguardLH wrote:
>> 4 GB is very v-e-r-y VERY small
>
> Sorry, 4TB. I constantly keep calling TB BG. :-(

I've sometimes made the mistake of using KB for RAM in modern computers. The first computer I bought (in 1982) had 5KB (5120 bytes) of RAM.

--
Mark Lloyd
http://notstupid.us/

"COFFEE.EXE Missing - Insert Cup and Press Any Key to continue."

#9
On 07/18/2017 03:50 PM, VanguardLH wrote:
> T wrote:
>> On 07/18/2017 12:10 PM, T wrote:
>>> On 07/18/2017 09:41 AM, VanguardLH wrote:
>>>> 4 GB is very v-e-r-y VERY small
>>>
>>> Sorry, 4TB. I constantly keep calling TB BG. :-(
>>
>> GB
>
> Yeah, my keyboard is failing, too. Must be my keyboard. Can't be me.

No, not the keyboard. All me. I have the greatest keyboard ever created: a Unicomp buckling spring keyboard.

#10
On 07/19/2017 11:57 AM, Mark Lloyd wrote:
> On 07/18/2017 02:10 PM, T wrote:
>> On 07/18/2017 09:41 AM, VanguardLH wrote:
>>> 4 GB is very v-e-r-y VERY small
>>
>> Sorry, 4TB. I constantly keep calling TB BG. :-(
>
> I've sometimes made the mistake of using KB for RAM in modern computers. The first computer I bought (in 1982) had 5KB (5120 bytes) of RAM.

I am always calling GB of ram, MB. I have to constantly correct myself.

I remember strutting over 512 KB of ram!